1. No category

Chapter 17: Confinement Problem - Welcome to nob.cs.ucdavis.edu!

Chapter 17: Confinement
Problem
•
•
•
•
•
What is the problem?
Isolation: virtual machines, sandboxes
Detecting covert channels
Analyzing covert channels
Mitigating covert channels
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-1
Overview
• The confinement problem
• Isolating entities
– Virtual machines
– Sandboxes
• Covert channels
– Detecting them
– Analyzing them
– Mitigating them
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-2
Example Problem
• Server balances bank accounts for clients
• Server security issues:
– Record correctly who used it
– Send only balancing info to client
• Client security issues:
– Log use correctly
– Do not save or retransmit data client sends
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-3
Generalization
•
•
•
•
Client sends request, data to server
Server performs some function on data
Server returns result to client
Access controls:
– Server must ensure the resources it accesses on behalf
of client include only resources client is authorized to
access
– Server must ensure it does not reveal client’s data to
any entity not authorized to see the client’s data
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-4
Confinement Problem
• Problem of preventing a server from leaking
information that the user of the service
considers confidential
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-5
Total Isolation
• Process cannot communicate with any other
process
• Process cannot be observed
Impossible for this process to leak information
– Not practical as process uses observable
resources such as CPU, secondary storage,
networks, etc.
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-6
Example
• Processes p, q not allowed to communicate
– But they share a file system!
• Communications protocol:
– p sends a bit by creating a file called 0 or 1, then a
second file called send
• p waits until send is deleted before repeating to send another
bit
– q waits until file send exists, then looks for file 0 or 1;
whichever exists is the bit
• q then deletes 0, 1, and send and waits until send is recreated
before repeating to read another bit
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-7
Covert Channel
• A path of communication not designed to be
used for communication
• In example, file system is a (storage) covert
channel
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-8
Rule of Transitive Confinement
• If p is confined to prevent leaking, and it
invokes q, then q must be similarly confined
to prevent leaking
• Rule: if a confined process invokes a second
process, the second process must be as
confined as the first
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-9
Lipner’s Notes
• All processes can obtain rough idea of time
– Read system clock or wall clock time
– Determine number of instructions executed
• All processes can manipulate time
– Wait some interval of wall clock time
– Execute a set number of instructions, then block
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-10
Kocher’s Attack
• This computes x = az mod n, where z = z0 … zk–1
x := 1; atmp := a;
for i := 0 to k–1 do begin
if zi = 1 then
x := (x * atmp) mod n;
atmp := (atmp * atmp) mod n;
end
result := x;
• Length of run time related to number of 1 bits in z
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-11
Isolation
• Present process with environment that appears to
be a computer running only those processes being
isolated
– Process cannot access underlying computer system, any
process(es) or resource(s) not part of that environment
– A virtual machine
• Run process in environment that analyzes actions
to determine if they leak information
– Alters the interface between process(es) and computer
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-12
Virtual Machine
• Program that simulates hardware of a
machine
– Machine may be an existing, physical one or an
abstract one
• Why?
– Existing OSes do not need to be modified
• Run under VMM, which enforces security policy
• Effectively, VMM is a security kernel
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-13
VMM as Security Kernel
• VMM deals with subjects (the VMs)
– Knows nothing about the processes within the VM
• VMM applies security checks to subjects
– By transitivity, these controls apply to processes on VMs
• Thus, satisfies rule of transitive confinement
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-14
Example 1: KVM/370
• KVM/370 is security-enhanced version of
VM/370 VMM
– Goal: prevent communications between VMs of
different security classes
– Like VM/370, provides VMs with minidisks,
sharing some portions of those disks
– Unlike VM/370, mediates access to shared
areas to limit communication in accordance
with security policy
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-15
Example 2: VAX/VMM
• Can run either VMS or Ultrix
• 4 privilege levels for VM system
– VM user, VM supervisor, VM executive, VM
kernel (both physical executive)
• VMM runs in physical kernel mode
– Only it can access certain resources
• VMM subjects: users and VMs
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-16
Example 2
• VMM has flat file system for itself
– Rest of disk partitioned among VMs
– VMs can use any file system structure
• Each VM has its own set of file systems
– Subjects, objects have security, integrity classes
• Called access classes
– VMM has sophisticated auditing mechanism
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-17
Problem
• Physical resources shared
– System CPU, disks, etc.
• May share logical resources
– Depends on how system is implemented
• Allows covert channels
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-18
Sandboxes
• An environment in which actions are
restricted in accordance with security policy
– Limit execution environment as needed
• Program not modified
• Libraries, kernel modified to restrict actions
– Modify program to check, restrict actions
• Like dynamic debuggers, profilers
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-19
Examples Limiting Environment
• Java virtual machine
– Security manager limits access of downloaded
programs as policy dictates
• Sidewinder firewall
– Type enforcement limits access
– Policy fixed in kernel by vendor
• Domain Type Enforcement
– Enforcement mechanism for DTEL
– Kernel enforces sandbox defined by system
administrator
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-20
Modifying Programs
• Add breakpoints or special instructions to
source, binary code
– On trap or execution of special instructions,
analyze state of process
• Variant: software fault isolation
– Add instructions checking memory accesses,
other security issues
– Any attempt to violate policy causes trap
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-21
Example: Janus
• Implements sandbox in which system calls
checked
– Framework does runtime checking
– Modules determine which accesses allowed
• Configuration file
– Instructs loading of modules
– Also lists constraints
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-22
Configuration File
# basic module
basic
# define subprocess environment variables
putenv IFS=”\t\n “ PATH=/sbin:/bin:/usr/bin TZ=PST8PDT
# deny access to everything except files under /usr
path deny read,write *
path allow read,write /usr/*
# allow subprocess to read files in library directories
# needed for dynamic loading
path allow read /lib/* /usr/lib/* /usr/local/lib/*
# needed so child can execute programs
path allow read,exec /sbin/* /bin/* /usr/bin/*
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-23
How It Works
• Framework builds list of relevant system calls
– Then marks each with allowed, disallowed actions
• When monitored system call executed
– Framework checks arguments, validates that call is allowed for
those arguments
• If not, returns failure
• Otherwise, give control back to child, so normal system call proceeds
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-24
Use
• Reading MIME Mail: fear is user sets mail reader to
display attachment using Postscript engine
– Has mechanism to execute system-level commands
– Embed a file deletion command in attachment …
• Janus configured to disallow execution of any
subcommands by Postscript engine
– Above attempt fails
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-25
Sandboxes, VMs, and TCB
• Sandboxes, VMs part of trusted computing
bases
– Failure: less protection than security officers,
users believe
– “False sense of security”
• Must ensure confinement mechanism
correctly implements desired security policy
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-26
Covert Channels
• Shared resources as communication paths
• Covert storage channel uses attribute of shared resource
– Disk space, message size, etc.
• Covert timing channel uses temporal or ordering relationship among
accesses to shared resource
– Regulating CPU usage, order of reads on disk
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-27
Example Storage Channel
• Processes p, q not allowed to communicate
– But they share a file system!
• Communications protocol:
– p sends a bit by creating a file called 0 or 1, then a second file
called send
• p waits until send is deleted before repeating to send another bit
– q waits until file send exists, then looks for file 0 or 1; whichever
exists is the bit
• q then deletes 0, 1, and send and waits until send is recreated before
repeating to read another bit
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-28
Example Timing Channel
• System has two VMs
– Sending machine S, receiving machine R
• To send:
– For 0, S immediately relinquishes CPU
• For example, run a process that instantly blocks
– For 1, S uses full quantum
• For example, run a CPU-intensive process
• R measures how quickly it gets CPU
– Uses real-time clock to measure intervals between access to shared
resource (CPU)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-29
Example Covert Channel
• Uses ordering of events; does not use clock
• Two VMs sharing disk cylinders 100 to 200
– SCAN algorithm schedules disk accesses
– One VM is High (H), other is Low (L)
• Idea: L will issue requests for blocks on cylinders 139 and 161 to be
read
– If read as 139, then 161, it’s a 1 bit
– If read as 161, then 139, it’s a 0 bit
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-30
How It Works
• L issues read for data on cylinder 150
– Relinquishes CPU when done; arm now at 150
• H runs, issues read for data on cylinder 140
– Relinquishes CPU when done; arm now at 140
• L runs, issues read for data on cylinders 139 and 161
– Due to SCAN, reads 139 first, then 161
– This corresponds to a 1
• To send a 0, H would have issued read for data on cylinder
160
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-31
Analysis
• Timing or storage?
– Usual definition  storage (no timer, clock)
• Modify example to include timer
– L uses this to determine how long requests take to complete
– Time to seek to 139 < time to seek to 161  1; otherwise, 0
• Channel works same way
– Suggests it’s a timing channel; hence our definition
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-32
Noisy vs. Noiseless
• Noiseless: covert channel uses resource
available only to sender, receiver
• Noisy: covert channel uses resource
available to others as well as to sender,
receiver
– Idea is that others can contribute extraneous
information that receiver must filter out to
“read” sender’s communication
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-33
Key Properties
• Existence: the covert channel can be used to send/receive information
• Bandwidth: the rate at which information can be sent along the channel
• Goal of analysis: establish these properties for each channel
– If you can eliminate the channel, great!
– If not, reduce bandwidth as much as possible
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-34
Step #1: Detection
• Manner in which resource is shared controls
who can send, receive using that resource
–
–
–
–
Noninterference
Shared Resource Matrix Methodology
Information flow analysis
Covert flow trees
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-35
Noninterference
• View “read”, “write” as instances of
information transfer
• Then two processes can communicate if
information can be transferred between
them, even in the absence of a direct
communication path
– A covert channel
– Also sounds like interference …
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-36
Example: SAT
• Secure Ada Target, multilevel security policy
• Approach:
– (i, l) removes all instructions issued by subjects dominated by
level l from instruction stream i
– A(i, ) state resulting from execution of i on state 
– .v(s) describes subject s’s view of state 
• System is noninterference-secure iff for all instruction
sequences i, subjects s with security level l(s), states ,
A((i, l(s)), ).v(s) = A(i, ).v(s)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-37
Theorem
• Version of the Unwinding Theorem
• Let  be set of system states. A specification is
noninterference-secure if, for each subject s at security
level l(s), there exists an equivalence relation :  such
that
– for 1, 2  , when 1  2, 1.v(s) = 2.v(s)
– for 1, 2   and any instruction i, when 1  2, A(i, 1)  A(i,
2 )
– for    and instruction stream i, if (i, l(s)) is empty, A((i, l(s)),
).v(s) = .v(s)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-38
Intuition
• System is noninterference-secure if:
– Equivalent states have the same view for each
subject
– View remains unchanged if any instruction is
executed
– Instructions from higher-level subjects do not
affect the state from the viewpoint of the lowerlevel subjects
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-39
Analysis of SAT
• Focus on object creation instruction and
readable object set
• In these specifications:
–
–
–
–
s subject with security level l(s)
o object with security level l(o), type (o)
 current state
Set of existing objects listed in a global object
table T()
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-40
Specification 1
• object_create:
[  = object_create(s,o,l(o),(o),)   ≠  ]

[ o  T()  l(s) ≤ l(o) ]
• The create succeeds if, and only if, the object does not yet exist and the
clearance of the object will dominate the clearance of its creator
– In accord with the “writes up okay” idea
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-41
Specification 2
• readable object set: set of existing objects that subject
could read
– can_read(s, o, ) true if in state , o is of a type that s can read
(ignoring permissions)
• o  readable(s, )  [ o  T() 
(l(o) ≤ l(s))  (can_read(s, o, ))]
• Can’t read a nonexistent object, one with a security level
that the subject’s security level does not dominate, or
object of the wrong type
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-42
Specification 3
• SAT enforces tranquility
– Adding object to readable set means creating new object
• Add to readable set:
[o  readable(s, )  o  readable(s, )]  [ =
object_create(s,o,l(o),(o),)  o  T()  l(s) ≤ l(o) ≤ l(s)  can_read(s,
o, )]
• Says object must be created, levels and discretionary access controls
set properly
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-43
Check for Covert Channels
• 1, 2 the same except:
– o exists only in latter
– (l(o) ≤ l(s))
• Specification 2:
– o  readable(s, 1) { o doesn’t exist in 1}
– o  readable(s, 2) { (l(o) ≤ l(s)) }
• Thus 1  2
– Condition 1 of theorem holds
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-44
Continue Analysis
• s issues command to create o with:
– l(o) = l(s)
– of type with can_read(s, o, 1)
• 1 state after object_create(s, o, l(o), (o), 1)
• Specification 1
– 1 differs from 1 with o in T(1)
• New entry satisfies:
– can_read(s, o, 1)
– l(s) ≤ l(o) ≤ l(s), where s created o
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-45
Continue Analysis
• o exists in 2 so:
2 = object_create(s, o, 2) = 2
• But this means
[ A(object_create(s, o, l(o), (o), 2), 2) 
A(object_create(s, o, l(o), (o), 1), 1) ]
– Because create fails in 2 but succeeds in 1
• So condition 2 of theorem fails
• This implies a covert channel as system is not
noninterference-secure
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-46
Example Exploit
• To send 1:
– High subject creates high object
– Recipient tries to create same object but at low
• Creation fails, but no indication given
– Recipient gives different subject type permission to read, write
object
• Again fails, but no indication given
– Subject writes 1 to object, reads it
• Read returns nothing
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-47
Example Exploit
• To send 0:
– High subject creates nothing
– Recipient tries to create same object but at low
• Creation succeeds as object does not exist
– Recipient gives different subject type permission to read, write
object
• Again succeeds
– Subject writes 1 to object, reads it
• Read returns 1
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-48
Use
• Can analyze covert storage channels
– Noninterference techniques reason in terms of
security levels (attributes of objects)
• Covert timing channels much harder
– You would have to make ordering an attribute
of the objects in some way
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-49
SRMM
• Shared Resource Matrix Methodology
• Goal: identify shared channels, how they are
shared
• Steps:
– Identify all shared resources, their visible attributes
[rows]
– Determine operations that reference (read), modify
(write) resource [columns]
– Contents of matrix show how operation accesses the
resource
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-50
Example
• Multilevel security model
• File attributes:
– existence, owner, label, size
• File manipulation operations:
– read, write, delete, create
– create succeeds if file does not exist; gets creator as owner,
creator’s label
– others require file exists, appropriate labels
• Subjects:
– High, Low
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-51
Shared Resource Matrix
read
existence
R
write
R
owner
delete
create
R, M
R, M
R
M
label
R
R
R
M
size
R
M
M
M
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-52
Covert Storage Channel
• Properties that must hold for covert storage
channel:
1. Sending, receiving processes have access to
same attribute of shared object;
2. Sender can modify that attribute;
3. Receiver can reference that attribute; and
4. Mechanism for starting processes, properly
sequencing their accesses to resource
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-53
Example
• Consider attributes with both R, M in rows
• Let High be sender, Low receiver
• create operation both references, modifies existence
attribute
– Low can use this due to semantics of create
• Need to arrange for proper sequencing accesses to
existence attribute of file (shared resource)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-54
Use of Channel
– 3 files: ready, done, 1bit
– Low creates ready at High level
– High checks that file exists
– If so, to send 1, it creates 1bit; to send 0, skip
– Delete ready, create done at High level
– Low tries to create done at High level
– On failure, High is done
– Low tries to create 1bit at level High
– Low deletes done, creates ready at High level
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-55
Covert Timing Channel
• Properties that must hold for covert timing
channel:
1. Sending, receiving processes have access to same
attribute of shared object;
2. Sender, receiver have access to a time reference (wall
clock, timer, event ordering, …);
3. Sender can control timing of detection of change to that
attribute by receiver; and
4. Mechanism for starting processes, properly sequencing
their accesses to resource
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-56
Example
• Revisit variant of KVM/370 channel
– Sender, receiver can access ordering of requests by disk
arm scheduler (attribute)
– Sender, receiver have access to the ordering of the
requests (time reference)
– High can control ordering of requests of Low process
by issuing cylinder numbers to position arm
appropriately (timing of detection of change)
– So whether channel can be exploited depends on
whether there is a mechanism to (1) start sender,
receiver and (2) sequence requests as desired
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-57
Uses of SRM Methodology
• Applicable at many stages of software life cycle
model
– Flexbility is its strength
• Used to analyze Secure Ada Target
– Participants manually constructed SRM from flow
analysis of SAT model
– Took transitive closure
– Found 2 covert channels
• One used assigned level attribute, another assigned type
attribute
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-58
Summary
• Methodology comprehensive but incomplete
– How to identify shared resources?
– What operations access them and how?
• Incompleteness a benefit
– Allows use at different stages of software engineering life cycle
• Incompleteness a problem
– Makes use of methodology sensitive to particular stage of software
development
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-59
Covert Channels
• Shared resources as communication paths
• Covert storage channel uses attribute of shared resource
– Disk space, message size, etc.
• Covert timing channel uses temporal or ordering relationship among
accesses to shared resource
– Regulating CPU usage, order of reads on disk
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-60
Example Storage Channel
• Processes p, q not allowed to communicate
– But they share a file system!
• Communications protocol:
– p sends a bit by creating a file called 0 or 1, then a second file
called send
• p waits until send is deleted before repeating to send another bit
– q waits until file send exists, then looks for file 0 or 1; whichever
exists is the bit
• q then deletes 0, 1, and send and waits until send is recreated before
repeating to read another bit
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-61
Example Timing Channel
• System has two VMs
– Sending machine S, receiving machine R
• To send:
– For 0, S immediately relinquishes CPU
• For example, run a process that instantly blocks
– For 1, S uses full quantum
• For example, run a CPU-intensive process
• R measures how quickly it gets CPU
– Uses real-time clock to measure intervals between access to shared
resource (CPU)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-62
Example Covert Channel
• Uses ordering of events; does not use clock
• Two VMs sharing disk cylinders 100 to 200
– SCAN algorithm schedules disk accesses
– One VM is High (H), other is Low (L)
• Idea: L will issue requests for blocks on cylinders 139 and 161 to be
read
– If read as 139, then 161, it’s a 1 bit
– If read as 161, then 139, it’s a 0 bit
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-63
How It Works
• L issues read for data on cylinder 150
– Relinquishes CPU when done; arm now at 150
• H runs, issues read for data on cylinder 140
– Relinquishes CPU when done; arm now at 140
• L runs, issues read for data on cylinders 139 and 161
– Due to SCAN, reads 139 first, then 161
– This corresponds to a 1
• To send a 0, H would have issued read for data on cylinder
160
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-64
Analysis
• Timing or storage?
– Usual definition  storage (no timer, clock)
• Modify example to include timer
– L uses this to determine how long requests take to complete
– Time to seek to 139 < time to seek to 161  1; otherwise, 0
• Channel works same way
– Suggests it’s a timing channel; hence our definition
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-65
Noisy vs. Noiseless
• Noiseless: covert channel uses resource
available only to sender, receiver
• Noisy: covert channel uses resource
available to others as well as to sender,
receiver
– Idea is that others can contribute extraneous
information that receiver must filter out to
“read” sender’s communication
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-66
Key Properties
• Existence: the covert channel can be used to send/receive information
• Bandwidth: the rate at which information can be sent along the channel
• Goal of analysis: establish these properties for each channel
– If you can eliminate the channel, great!
– If not, reduce bandwidth as much as possible
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-67
Step #1: Detection
• Manner in which resource is shared controls
who can send, receive using that resource
–
–
–
–
Noninterference
Shared Resource Matrix Methodology
Information flow analysis
Covert flow trees
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-68
Noninterference
• View “read”, “write” as instances of
information transfer
• Then two processes can communicate if
information can be transferred between
them, even in the absence of a direct
communication path
– A covert channel
– Also sounds like interference …
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-69
Example: SAT
• Secure Ada Target, multilevel security policy
• Approach:
– (i, l) removes all instructions issued by subjects dominated by
level l from instruction stream i
– A(i, ) state resulting from execution of i on state 
– .v(s) describes subject s’s view of state 
• System is noninterference-secure iff for all instruction
sequences i, subjects s with security level l(s), states ,
A((i, l(s)), ).v(s) = A(i, ).v(s)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-70
Theorem
• Version of the Unwinding Theorem
• Let  be set of system states. A specification is
noninterference-secure if, for each subject s at
security level l(s), there exists an equivalence
relation :  such that
– for 1, 2  , when 1  2, 1.v(s) = 2.v(s)
– for 1, 2   and any instruction i, when 1  2, A(i,
1)  A(i, 2)
– for    and instruction stream i, if (i, l(s)) is empty,
A((i, l(s)), ).v(s) = .v(s)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-71
Intuition
• System is noninterference-secure if:
– Equivalent states have the same view for each
subject
– View remains unchanged if any instruction is
executed
– Instructions from higher-level subjects do not
affect the state from the viewpoint of the lowerlevel subjects
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-72
Analysis of SAT
• Focus on object creation instruction and
readable object set
• In these specifications:
–
–
–
–
s subject with security level l(s)
o object with security level l(o), type (o)
 current state
Set of existing objects listed in a global object
table T()
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-73
Specification 1
• object_create:
[  = object_create(s,o,l(o),(o),)   ≠  ]

[ o  T()  l(s) ≤ l(o) ]
• The create succeeds if, and only if, the object does not yet
exist and the clearance of the object will dominate the
clearance of its creator
– In accord with the “writes up okay” idea
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-74
Specification 2
• readable object set: set of existing objects that
subject could read
– can_read(s, o, ) true if in state , o is of a type that s
can read (ignoring permissions)
• o  readable(s, )  [ o  T() 
(l(o) ≤ l(s))  (can_read(s, o, ))]
• Can’t read a nonexistent object, one with a
security level that the subject’s security level does
not dominate, or object of the wrong type
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-75
Specification 3
• SAT enforces tranquility
– Adding object to readable set means creating new object
• Add to readable set:
[o  readable(s, )  o  readable(s, )]  [ =
object_create(s,o,l(o),(o),)  o  T()  l(s) ≤ l(o) ≤ l(s) 
can_read(s, o, )]
• Says object must be created, levels and discretionary
access controls set properly
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-76
Check for Covert Channels
• 1, 2 the same except:
– o exists only in latter
– (l(o) ≤ l(s))
• Specification 2:
– o  readable(s, 1) { o doesn’t exist in 1}
– o  readable(s, 2) { (l(o) ≤ l(s)) }
• Thus 1  2
– Condition 1 of theorem holds
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-77
Continue Analysis
• s issues command to create o with:
– l(o) = l(s)
– of type with can_read(s, o, 1)
• 1 state after object_create(s, o, l(o), (o), 1)
• Specification 1
– 1 differs from 1 with o in T(1)
• New entry satisfies:
– can_read(s, o, 1)
– l(s) ≤ l(o) ≤ l(s), where s created o
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-78
Continue Analysis
• o exists in 2 so:
2 = object_create(s, o, 2) = 2
• But this means
[ A(object_create(s, o, l(o), (o), 2), 2) 
A(object_create(s, o, l(o), (o), 1), 1) ]
– Because create fails in 2 but succeeds in 1
• So condition 2 of theorem fails
• This implies a covert channel as system is not
noninterference-secure
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-79
Example Exploit
• To send 1:
– High subject creates high object
– Recipient tries to create same object but at low
• Creation fails, but no indication given
– Recipient gives different subject type permission to read, write
object
• Again fails, but no indication given
– Subject writes 1 to object, reads it
• Read returns nothing
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-80
Example Exploit
• To send 0:
– High subject creates nothing
– Recipient tries to create same object but at low
• Creation succeeds as object does not exist
– Recipient gives different subject type permission to read, write
object
• Again succeeds
– Subject writes 1 to object, reads it
• Read returns 1
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-81
Use
• Can analyze covert storage channels
– Noninterference techniques reason in terms of
security levels (attributes of objects)
• Covert timing channels much harder
– You would have to make ordering an attribute
of the objects in some way
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-82
SRMM
• Shared Resource Matrix Methodology
• Goal: identify shared channels, how they are
shared
• Steps:
– Identify all shared resources, their visible attributes
[rows]
– Determine operations that reference (read), modify
(write) resource [columns]
– Contents of matrix show how operation accesses the
resource
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-83
Example
• Multilevel security model
• File attributes:
– existence, owner, label, size
• File manipulation operations:
– read, write, delete, create
– create succeeds if file does not exist; gets creator as owner,
creator’s label
– others require file exists, appropriate labels
• Subjects:
– High, Low
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-84
Shared Resource Matrix
read
existence
R
write
R
owner
delete
create
R, M
R, M
R
M
label
R
R
R
M
size
R
M
M
M
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-85
Covert Storage Channel
• Properties that must hold for covert storage
channel:
1. Sending, receiving processes have access to
same attribute of shared object;
2. Sender can modify that attribute;
3. Receiver can reference that attribute; and
4. Mechanism for starting processes, properly
sequencing their accesses to resource
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-86
Example
• Consider attributes with both R, M in rows
• Let High be sender, Low receiver
• create operation both references, modifies existence
attribute
– Low can use this due to semantics of create
• Need to arrange for proper sequencing accesses to
existence attribute of file (shared resource)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-87
Use of Channel
– 3 files: ready, done, 1bit
– Low creates ready at High level
– High checks that file exists
– If so, to send 1, it creates 1bit; to send 0, skip
– Delete ready, create done at High level
– Low tries to create done at High level
– On failure, High is done
– Low tries to create 1bit at level High
– Low deletes done, creates ready at High level
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-88
Covert Timing Channel
• Properties that must hold for covert timing
channel:
1. Sending, receiving processes have access to same
attribute of shared object;
2. Sender, receiver have access to a time reference (wall
clock, timer, event ordering, …);
3. Sender can control timing of detection of change to that
attribute by receiver; and
4. Mechanism for starting processes, properly sequencing
their accesses to resource
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-89
Example
• Revisit variant of KVM/370 channel
– Sender, receiver can access ordering of requests by disk
arm scheduler (attribute)
– Sender, receiver have access to the ordering of the
requests (time reference)
– High can control ordering of requests of Low process
by issuing cylinder numbers to position arm
appropriately (timing of detection of change)
– So whether channel can be exploited depends on
whether there is a mechanism to (1) start sender,
receiver and (2) sequence requests as desired
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-90
Uses of SRM Methodology
• Applicable at many stages of software life cycle
model
– Flexbility is its strength
• Used to analyze Secure Ada Target
– Participants manually constructed SRM from flow
analysis of SAT model
– Took transitive closure
– Found 2 covert channels
• One used assigned level attribute, another assigned type
attribute
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-91
Summary
• Methodology comprehensive but incomplete
– How to identify shared resources?
– What operations access them and how?
• Incompleteness a benefit
– Allows use at different stages of software engineering life cycle
• Incompleteness a problem
– Makes use of methodology sensitive to particular stage of software
development
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-92
Measuring Capacity
• Intuitively, difference between
unmodulated, modulated channel
– Normal uncertainty in channel is 8 bits
– Attacker modulates channel to send
information, reducing uncertainty to 5 bits
– Covert channel capacity is 3 bits
• Modulation in effect fixes those bits
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-93
Formally
• Inputs:
– A input from Alice (sender)
– V input from everyone else
– X output of channel
• Capacity measures uncertainty in X given A
• In other terms: maximize
I(A; X) = H(X) – H(X | A)
with respect to A
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-94
Example (continued)
• If A, V independent, p=p(A=0), q=p(V=0):
–
–
–
–
p(A=0,V=0) = pq
p(A=1,V=0) = (1–p)q
p(A=0,V=1) = p(1–q)
p(A=1,V=1) = (1–p)(1–q)
• So
– p(X=0) = p(A=0,V=0)+p(A=1,V=1)
= pq + (1–p)(1–q)
– p(X=1) = p(A=0,V=1)+p(A=1,V=0)
= (1–p)q + p(1–q)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-95
More Example
• Also:
–
–
–
–
p(X=0|A=0) = q
p(X=0|A=1) = 1–q
p(X=1|A=0) = 1–q
p(X=1|A=1) = q
• So you can compute:
– H(X) = –[(1–p)q + p(1–q)] lg [(1–p)q + p(1–q)]
– H(X|A) = –q lg q – (1–q) lg (1–q)
– I(A;X) = H(X)–H(X|A)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-96
I(A;X)
I(A; X) = – [pq + (1 – p)(1 – q)] lg [pq + (1 – p)(1 – q)] –
[(1 – p)q + p(1 – q)] lg [(1 – p)q + p(1 – q)] +
q lg q + (1 – q) lg (1 – q)
• Maximum when p = 0.5; then
I(A;X) = 1 + q lg q + (1–q) lg (1–q) = 1–H(V)
• So, if V constant, q = 0, and I(A;X) = 1
• Also, if q = p = 0.5, I(A;X) = 0
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-97
Analyzing Capacity
• Assume a noisy channel
• Examine covert channel in MLS database
that uses replication to ensure availability
– 2-phase commit protocol ensures atomicity
– Coordinator process manages global execution
– Participant processes do everything else
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-98
How It Works
• Coordinator sends message to each participant
asking whether to abort or commit transaction
– If any says “abort”, coordinator stops
• Coordinator gathers replies
– If all say “commit”, sends commit messages back to
participants
– If any says “abort”, sends abort messages back to
participants
– Each participant that sent commit waits for reply; on
receipt, acts accordingly
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-99
Exceptions
• Protocol times out, causing party to act as if
transaction aborted, when:
– Coordinator doesn’t receive reply from
participant
– Participant who sends a commit doesn’t receive
reply from coordinator
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-100
Covert Channel Here
• Two types of components
– One at Low security level, other at High
• Low component begins 2-phase commit
– Both High, Low components must cooperate in the 2-phase
commit protocol
• High sends information to Low by selectively aborting
transactions
– Can send abort messages
– Can just not do anything
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-101
Note
• If transaction always succeeded except
when High component sending information,
channel not noisy
– Capacity would be 1 bit per trial
– But channel noisy as transactions may abort for
reasons other than the sending of information
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-102
Analysis
• X random variable: what High user wants to send
– Assume abort is 1, commit is 0
– p = p(X=0) probability High sends 0
• A random variable: what Low receives
– For noiseless channel X = A
• n+2 users
– Sender, receiver, n others
– q probability of transaction aborting at any of these n
users
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-103
Basic Probabilities
• Probabilities of receiving given sending
–
–
–
–
p(A=0|X=0) = (1–q)n
p(A=1|X=0) = 1–(1–q)n
p(A=0|X=1) = 0
p(A=1|X=1) = 1
• So probabilities of receiving values:
– p(A=0) = p(1–q)n
– p(A=1) = 1–p(1–q)n
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-104
More Probabilities
• Given sending, what is receiving?
–
–
–
–
p(X=0|A=0) = 1
p(X=1|A=0) = 0
p(X=0|A=1) = p[1–(1–q)n] / [1–p(1–q)n]
p(X=1|A=1) = (1–p) / [1–p(1–q)n]
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-105
Entropies
• H(X) = –p lg p – (1–p) lg (1–p)
• H(X|A) = –p[1–(1–q)n] lg p
– p[1–(1–q)n] lg [1–(1–q)n]
+ [1–p(1–q)n] lg [1–p(1–q)n]
– (1–p) lg (1–p)
• I(A;X) = –p(1–q)n lg p
+ p[1–(1–q)n] lg [1–(1–q)n]
– [1–p(1–q)n] lg [1–p(1–q)n]
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-106
Capacity
• Maximize this with respect to p (probability
that High sends 0)
– Notation: m = (1–q)n, M = (1–m)(1–m)
– Maximum when p = M / (Mm+1)
• Capacity is:
I(A;X) = Mm lg p + M(1–m) lg (1–m) + lg (Mm+1)
(Mm+1)
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-107
Mitigation of Covert Channels
• Problem: these work by varying use of shared
resources
• One solution
– Require processes to say what resources they need
before running
– Provide access to them in a way that no other process
can access them
• Cumbersome
– Includes running (CPU covert channel)
– Resources stay allocated for lifetime of process
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-108
Alternate Approach
• Obscure amount of resources being used
– Receiver cannot distinguish between what the
sender is using and what is added
• How? Two ways:
– Devote uniform resources to each process
– Inject randomness into allocation, use of
resources
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-109
Uniformity
• Variation of isolation
– Process can’t tell if second process using
resource
• Example: KVM/370 covert channel via
CPU usage
– Give each VM a time slice of fixed duration
– Do not allow VM to surrender its CPU time
• Can no longer send 0 or 1 by modulating CPU usage
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-110
Randomness
• Make noise dominate channel
– Does not close it, but makes it useless
• Example: MLS database
– Probability of transaction being aborted by user other
than sender, receiver approaches 1
• q1
– I(A; X)  0
– How to do this: resolve conflicts by aborting increases
q, or have participants abort transactions randomly
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-111
Problem: Loss of Efficiency
• Fixed allocation, constraining use
– Wastes resources
• Increasing probability of aborts
– Some transactions that will normally commit
now fail, requiring more retries
• Policy: is the inefficiency preferable to the
covert channel?
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-112
Example
• Goal: limit covert timing channels on VAX/VMM
• “Fuzzy time” reduces accuracy of system clocks
by generating random clock ticks
– Random interrupts take any desired distribution
– System clock updates only after each timer interrupt
– Kernel rounds time to nearest 0.1 sec before giving it to
VM
• Means it cannot be more accurate than timing of interrupts
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-113
Example
• I/O operations have random delays
• Kernel distinguishes 2 kinds of time:
– Event time (when I/O event occurs)
– Notification time (when VM told I/O event occurred)
• Random delay between these prevents VM from figuring out
when event actually occurred)
• Delay can be randomly distributed as desired (in security
kernel, it’s 1–19ms)
– Added enough noise to make covert timing channels
hard to exploit
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-114
Improvement
• Modify scheduler to run processes in
increasing order of security level
– Now we’re worried about “reads up”, so …
• Countermeasures needed only when
transition from dominating VM to
dominated VM
– Add random intervals between quanta for these
transitions
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-115
The Pump
• Tool for controlling communications path between
High and Low
communications b uffer
July 1, 2004
Low
buffer
High
buffer
Low process
High process
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-116
Details
• Communications buffer of length n
– Means it can hold up to n messages
• Messages numbered
• Pump ACKs each message as it is moved from
High (Low) buffer to communications buffer
• If pump crashes, communications buffer preserves
messages
– Processes using pump can recover from crash
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-117
Covert Channel
• Low fills communications buffer
– Send messages to pump until no ACK
– If High wants to send 1, it accepts 1 message from
pump; if High wants to send 0, it does not
– If Low gets ACK, message moved from Low buffer to
communications buffer  High sent 1
– If Low doesn’t get ACK, no message moved  High
sent 0
• Meaning: if High can control rate at which pump
passes messages to it, a covert timing channel
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-118
Performance vs. Capacity
• Assume Low process, pump can process
messages more quickly than High process
• Li random variable: time from Low sending
message to pump to Low receiving ACK
• Hi random variable: average time for High
to ACK each of last n messages
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-119
Case1: E(Li) > Hi
• High can process messages more quickly than Low can get
ACKs
• Contradicts above assumption
– Pump must be delaying ACKs
– Low waits for ACK whether or not communications buffer is full
• Covert channel closed
• Not optimal
– Process may wait to send message even when there is room
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-120
Case 2: E(Li) < Hi
• Low sending messages faster than High can
remove them
• Covert channel open
• Optimal performance
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-121
Case 3: E(Li) = Hi
• Pump, processes handle messages at same
rate
• Covert channel open
– Bandwidth decreased from optimal case (can’t
send messages over covert channel as fast)
• Performance not optimal
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-122
Adding Noise
• Shown: adding noise to approximate case 3
– Covert channel capacity reduced to 1/nr where r time from Low
sending message to pump to Low receiving ACK when
communications buffer not full
– Conclusion: use of pump substantially reduces capacity of covert
channel between High, Low processes when compared to direct
connection
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-123
Key Points
• Confinement problem central to computer
security
– Arises in many contexts
• VM, sandboxes basic ways to handle it
– Each has benefits and drawbacks
• Covert channels are hard to close
– But their capacity can be measured and reduced
July 1, 2004
Computer Security: Art and Science
©2002-2004 Matt Bishop
Slide #17-124

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz